How to spot a phishing email.
Cyber criminals contact businesses by email, text, and phone, usually pretending to be someone you trust. Bad spelling and clumsy design used to be reliable warning signs. Scams have got sharper since then, and some now fool experienced staff. The five signals below cover most of what a suspicious message has in common, whatever it looks like on the surface.
Authority
Is the message claiming to be your bank, a supplier, a solicitor, or a government department? Criminals impersonate people and organisations you already trust, because a message that looks like it is from your bank gets opened and believed faster than one from a stranger.
Urgency
Are you told to act within 24 hours, or immediately, with a fine or another consequence threatened if you don't? Genuine organisations rarely demand an instant response by email.
Emotion
Does the message make you anxious, hopeful, or curious enough to click before thinking it through? Fear, hope, and curiosity are the three emotions scammers reach for most often, because each one short-circuits the pause where someone would normally check.
Scarcity
Is it dangling something in short supply, such as tickets, a refund, or a deal that seems too good to check first? Fear of missing out pushes people to respond quickly, which is exactly the point.
Current events
Does it reference something genuinely in the news, or a predictable seasonal moment such as a tax deadline? Criminals borrow real events to make a fake message feel timely and relevant.
How to check if a message is genuine.
If a message raises any of the signals above, stop before acting on it. Contact the organisation directly, using a phone number or website address you already know. Never use the number or link inside the suspicious message itself. A scammer who controls the message can just as easily control where that contact detail leads.
A genuine bank, government department, or supplier will never ask you to confirm a full password, PIN, or bank details by email, or over a phone call you didn't start yourself. Treat a request like that as a strong signal on its own, not just one more tick on a checklist.
Report it.
Reporting a suspicious email is free, takes a minute, and helps everyone else it would have reached next.
Forward it to Sender Registry
Forward the message and get a real, evidence-based assessment back, free, in minutes. Your report also strengthens the network's intelligence for every other business checking the same sender.
Report it to the NCSC (UK)
UK businesses can also forward suspicious emails directly to the National Cyber Security Centre's Suspicious Email Reporting Service. The NCSC investigates reports and has the power to take down confirmed scam senders and websites. When Sender Registry classifies a UK report as a phishing attempt, you can forward it to the NCSC with one click from your assessment screen, no need to send it a second time yourself.
This guidance is written in Sender Registry's own voice, informed by public guidance from the UK's National Cyber Security Centre (NCSC), part of GCHQ. NCSC's own source page was last reviewed by them on 5 September 2022 (version 2.0); Sender Registry checked it against the live page on 14 July 2026. Read the NCSC's original guidance →